improve basic authentication parsing for OIDCOAuthAcceptTokenAs basic

Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Sep 9, 2024 · 94f832f · 94f832f
1 parent f7beb71
commit 94f832f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,7 @@
 09/09/2024
 - fix accepting custom cookie names in OIDCOAuthAcceptTokenAs cookie:<name>; see #1261; thanks @bbartke
 - bump to 2.4.16.4rc0
+- improve basic authentication parsing when using OIDCOAuthAcceptTokenAs basic
 
 09/06/2024
 - allow overriding globally set OIDCCacheType back to shm in vhosts

diff --git a/src/oauth.c b/src/oauth.c
@@ -210,10 +210,10 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, const char **access_token
 			oidc_debug(r, "authorization header found");
 
 			apr_byte_t known_scheme = 0;
+			char *scheme = ap_getword(r->pool, &auth_line, OIDC_CHAR_SPACE);
 
 			/* look for the Bearer keyword */
-			if ((_oidc_strnatcasecmp(ap_getword(r->pool, &auth_line, OIDC_CHAR_SPACE), OIDC_PROTO_BEARER) ==
-			     0) &&
+			if ((_oidc_strnatcasecmp(scheme, OIDC_PROTO_BEARER) == 0) &&
 			    (accept_token_in & OIDC_OAUTH_ACCEPT_TOKEN_IN_HEADER)) {
 
 				/* skip any spaces after the Bearer keyword */
@@ -226,7 +226,8 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, const char **access_token
 
 				known_scheme = 1;
 
-			} else if (accept_token_in & OIDC_OAUTH_ACCEPT_TOKEN_IN_BASIC) {
+			} else if ((_oidc_strnatcasecmp(scheme, OIDC_PROTO_BASIC) == 0) &&
+				   (accept_token_in & OIDC_OAUTH_ACCEPT_TOKEN_IN_BASIC)) {
 
 				char *decoded_line;
 				int decoded_len;
@@ -244,7 +245,7 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, const char **access_token
 			}
 
 			if (known_scheme == 0) {
-				oidc_warn(r, "client used unsupported authentication scheme: %s", r->uri);
+				oidc_warn(r, "client used unsupported authentication scheme: %s", scheme);
 			}
 		}
 	}